| Date addressed | Severity | CWE | CVSS 3.1 (Privileges Required) | Description | Reported by |
|---|---|---|---|---|---|
| 30 December 2019 | High | CWE-94 | CVSS:3.1/PR:N | Installer RCE on settings file write | yelang123 (Stealien) |
| | Medium | CWE-94 | CVSS:3.1/PR:H | Arbitrary upload paths & Local File Inclusion RCE | CNCERT |
| | Medium | CWE-79 | CVSS:3.1/PR:H | XSS via insufficient HTML sanitization of Blog feed & Extend data | Devilshakerz (MyBB Team) |
| | Low | CWE-601 | CVSS:3.1/PR:N | Open redirect on login | Jyoti Raval (Qualys) |
| | Low | CWE-79 | CVSS:3.1/PR:N | SCEditor reflected XSS | Cillian Collins, bl4ckh4ck5 |
| 10 June 2019 | High | CWE-94 | CVSS:3.1/PR:H | Theme import stylesheet name RCE [1] | Simon Scannell and Robin Peraglie (RIPS Technologies) |
| | High | CWE-79 | CVSS:3.1/PR:N | Nested video MyCode persistent XSS [1] | Simon Scannell and Robin Peraglie (RIPS Technologies) |
| | Medium | CWE-79 | CVSS:3.1/PR:H | Find Orphaned Attachments reflected XSS | Simon Scannell (RIPS Technologies) |
| | Medium | CWE-79 | CVSS:3.1/PR:L | Post edit reflected XSS | adm1nkyj (ENKI) |
| | Medium | CWE-89 | CVSS:3.1/PR:L | Private Messaging folders SQL injection | Alex (DiscoveryGC) |
| | Low | CWE-502 | CVSS:3.1/PR:H | Potential phar deserialization through Upload Path | Simon Scannell (RIPS Technologies) |
| 27 February 2019 | Medium | CWE-79 | CVSS:3.1/PR:N | Reset Password reflected XSS | |
| | Medium | CWE-79 | CVSS:3.1/PR:L | ModCP Profile Editor username reflected XSS | Jovan Zivanovic (MaTRIS Research Group, SBA Research) |
| | Low | CWE-352 | CVSS:3.1/PR:N | Predictable CSRF token for guest users | Devilshakerz (MyBB Team) |
| | Low | CWE-79 | CVSS:3.1/PR:H | ACP Stylesheet Properties XSS | Cillian Collins |
| | Low | CWE-200 | CVSS:3.1/PR:N | Reset Password username enumeration via email | Abdullah Md. Shaleh |
| 11 September 2018 | High | CWE-89 | CVSS:3.1/PR:N | Email field SQL Injection | StefanT |
| | Medium | CWE-79 | CVSS:3.1/PR:N | Video MyCode Persistent XSS in Visual Editor | Numan OZDEMIR (InfinitumIT) |
| | Low | CWE-284 | CVSS:3.1/PR:L | Insufficient permission check in User CP's attachment management | StefanT |
| | Low | CWE-345 | CVSS:3.1/PR:L | Insufficient email address verification | StefanT |
| 22 August 2018 | High | | | Image MyCode "alt" attribute persistent XSS | Punisher_HF |
| | Medium | CWE-79 | CVSS:3.1/PR:N | RSS Atom 1.0 item title persistent XSS | 0xB9 |
| 4 July 2018 | High | CWE-79 | CVSS:3.1/PR:N | Image & URL MyCode Persistent XSS | Punisher_HF |
| | Medium | CWE-79 | CVSS:3.1/PR:N | Multipage Reflected XSS | Dimaz Arno (Ethic Ninja) |
| | Low | CWE-79 | CVSS:3.1/PR:H | ACP logs XSS | Cillian Collins |
| | Low | CWE-22 | CVSS:3.1/PR:H | Arbitrary file deletion via ACP's Settings | Devilshakerz (MyBB Team) |
| | Low | CWE-352 | CVSS:3.1/PR:N | Login CSRF | Cillian Collins |
| | Low | CWE-20 | CVSS:3.1/PR:N | Non-video content embedding via Video MyCode | Punisher_HF |
| 15 March 2018 | Medium | CWE-98 | CVSS:3.1/PR:H | Tasks Local File Inclusion | Riley Baird |
| | Medium | CWE-284 | CVSS:3.1/PR:N | Forum Password Check Bypass | Riley Baird |
| | Low | CWE-79 | CVSS:3.1/PR:H | Admin Permissions Group Title XSS | Nathaniel Suchy |
| | Low | CWE-79 | CVSS:3.1/PR:H | Attachment types file extension XSS | Nathaniel Suchy |
| | Low | CWE-79 | CVSS:3.1/PR:L | Moderator Tools XSS | Nathaniel Suchy |
| | Low | CWE-79 | CVSS:3.1/PR:H | Security Questions XSS | doylecc |
| | Low | CWE-79 | CVSS:3.1/PR:H | Settings Management XSS | Nathaniel Suchy |
| | Low | CWE-79 | CVSS:3.1/PR:H | Templates Set Name XSS | Nathaniel Suchy |
| | Low | CWE-79 | CVSS:3.1/PR:H | Usergroup Promotions XSS | Nathaniel Suchy |
| | Low | CWE-79 | CVSS:3.1/PR:H | Warning Types XSS | Nathaniel Suchy |
| 28 November 2017 | High | CWE-94 | CVSS:3.1/PR:H | Language file headers RCE | Julian Rittweger |
| | Low | CWE-79 | CVSS:3.1/PR:H | Language Pack Properties XSS | Julian Rittweger |
| 7 November 2017 | High | CWE-94 | CVSS:3.1/PR:N | Installer RCE on configuration file write | pabstersac |
| | High | CWE-94 | CVSS:3.1/PR:H | Language file headers RCE | Julian Rittweger |
| | Medium | CWE-79 | CVSS:3.1/PR:N | Installer XSS | pabstersac |
| | Medium | CWE-79 | CVSS:3.1/PR:L | Mod CP Edit Profile XSS | Julian Rittweger |
| | Low | CWE-284 | CVSS:3.1/PR:L | Insufficient moderator permission check in delayed moderation tools | Starpaul20 (MyBB Team) |
| | Low | CWE-79 | CVSS:3.1/PR:L | Announcements HTML filter bypass | |
| | Low | CWE-79 | CVSS:3.1/PR:H | Language Pack Properties XSS | Julian Rittweger |
| 22 May 2017 | Medium | CWE-284 | CVSS:3.1/PR:N | Insufficient permission check in multiquote feature | frostschutz |
| | Medium | CWE-20 | CVSS:3.1/PR:L | CSV macro injection on PM export | Rico A. Silvallana |
| | Low | CWE-334 | CVSS:3.1/PR:N | Weak password reset codes & false positives | Devilshakerz (MyBB Team) |
| 4 April 2017 | High | CWE-79 | CVSS:3.1/PR:N | XSS Injection in Email MyCode | Zhiyang Zeng (Tencent security platform department) |
| | Medium | CWE-918 | CVSS:3.1/PR:L | SSRF protection can be bypassed | Orange Tsai (DEVCORE), Jasveer Singh (SEC Consult Vulnerability Lab) |
| | Low | CWE-22 | CVSS:3.1/PR:H | Directory Traversal in smilie module | Zhiyang Zeng (Tencent security platform department) |
| 21 December 2016 | Low | CWE-352 | CVSS:3.1/PR:L | CSRF issue when removing subscriptions | Devilshakerz (MyBB Team) |
| 17 October 2016 | Medium | CWE-22 | CVSS:3.1/PR:H | Style import CSS overwrite on Windows servers | patryk |
| | Medium | CWE-89 | CVSS:3.1/PR:L | SQL Injection in the users data handler | afinepl |
| | Medium | | | SSRF attack in fetch_remote_file() | dawid_golunski |
| | Medium | CWE-22 | CVSS:3.1/PR:N | Possible short name access to ACP backups on Windows servers | kevinoclam |
| | Low | CWE-79 | CVSS:3.1/PR:H | Stored XSS in the ACP | patryk |
| | Low | CWE-697 | CVSS:3.1/PR:N | Loose comparison false positives | Devilshakerz (MyBB Team) |
| | Low | CWE-79 | CVSS:3.1/PR:H | Possible XSS injection in ACP users module | afinepl |
| 11 March 2016 | Medium | CWE-89 | CVSS:3.1/PR:L | Possible SQL Injection in moderation tool | jamslater |
| | Low | CWE-284 | CVSS:3.1/PR:N | Missing permission check in newreply.php | StefanT (MyBB Team) |
| | Low | CWE-79 | CVSS:3.1/PR:N | Possible XSS Injection on login | Devilshakerz (MyBB Team) |
| | Low | CWE-79 | CVSS:3.1/PR:N | Possible XSS Injection in member validation | Tim Coen |
| | Low | CWE-79 | CVSS:3.1/PR:L | Possible XSS Injection in User CP | Tim Coen |
| | Low | CWE-79 | CVSS:3.1/PR:L | Possible XSS Injection in Mod CP logs | Starpaul20 (MyBB Team) |
| | Low | CWE-79 | CVSS:3.1/PR:L | Possible XSS Injection when editing users in Mod CP | Tim Coen |
| | Low | CWE-79 | CVSS:3.1/PR:H | Possible XSS Injection when pruning logs in ACP | Devilshakerz (MyBB Team) |
| | Low | CWE-200 | CVSS:3.1/PR:H | Possibility of retrieving database details through templates | Tim Coen |
| | Low | CWE-200 | CVSS:3.1/PR:N | Disclosure of ACP path when sending mails from ACP | sarisisop |
| | Low | CWE-334 | CVSS:3.1/PR:N | Low adminsid & sid entropy | Devilshakerz (MyBB Team) |
| | Low | CWE-1021 | CVSS:3.1/PR:N | Clickjacking in ACP | DingjieYang |
| | Low | CWE-548 | CVSS:3.1/PR:N | Missing directory listing protection in upload directories | Tim Coen |
| 7 September 2015 | Medium | CWE-284 | CVSS:3.1/PR:N | Forum password bypass in xmlhttp.php | Devilshakerz (MyBB Team) |
| | Low | | | SQL Injection in Grouppromotions module (ACP) | Devilshakerz (MyBB Team) |
| | Low | CWE-79 | CVSS:3.1/PR:N | Possible XSS Injection in the error handler | FooBar123 |
| | Low | CWE-79 | CVSS:3.1/PR:N | Possible XSS issues in old upgrade files | FooBar123 |
| | Low | CWE-200 | CVSS:3.1/PR:N | Possible Full Path Disclosure in publicly accessible error log files | Devilshakerz (MyBB Team) |
| 27 May 2015 | Medium | CWE-287 | CVSS:3.1/PR:N | Reset password code check could be circumvented in member.php | solati.sadegh |
| | Medium | CWE-345 | CVSS:3.1/PR:L | Sender email could be spoofed when sending an email to a user in member.php | onlinedevelopers |
| | Medium | CWE-284 | CVSS:3.1/PR:N | Permissions not checked for post search with old sid in search.php | pedder55655 |
| | Medium | CWE-79 | CVSS:3.1/PR:N | XSS in quick edit function of xmlhttp.php | TiberiusG |
| | Low | CWE-352 | CVSS:3.1/PR:H | CSRF in ACP mass mail cancellation | Destroy666 (MyBB Team) |
| | Low | | | Use of the U+200E Unicode character to create "duplicate" username | mahdy2021 |
| 15 February 2015 | Medium | CWE-79 | CVSS:3.1/PR:N | A XSS vulnerability in member.php | ATofighi (MyBB Team) |
| | Medium | CWE-79 | CVSS:3.1/PR:N | A XSS vulnerability in MyCode editor | Matthias Ungethüm |
| | Low | CWE-79 | CVSS:3.1/PR:H | Multiple XSS vulnerability requiring admin permissions | adamziaja, Devilshakerz, DingjieYang, sroesemann |
| | Low | CWE-352 | CVSS:3.1/PR:N | A CSRF vulnerability within ACP login | Devilshakerz |
| | Low | CWE-200 | CVSS:3.1/PR:L | Group join request notifications sent to wrong group leaders | Snake_ |
| | Low | CWE-172 | CVSS:3.1/PR:N | Cache handler using var_export without encoding checks | chtg |
| | None | CWE-200 | CVSS:3.1/PR:N | A full path disclosure vulnerability within JSON library | Nathan Malcolm |
| 20 November 2014 | High | CWE-89 | CVSS:3.1/PR:N | A SQL injection vulnerability in theme selection | StefanT (MyBB Team) |
| | Medium | CWE-79 | CVSS:3.1/PR:L | A XSS vulnerability in calendar.php | -Acid |
| | Medium | CWE-79 | CVSS:3.1/PR:N | A XSS vulnerability in MyCode editor | My-BB.Ir |
| | Low | CWE-79 | CVSS:3.1/PR:H | A XSS vulnerability related to post icons | Destroy666 (MyBB Team) |
| | Low | CWE-502 | CVSS:3.1/PR:N | unserialize may call PHP magic methods | chtg |
| | Low | CWE-473 | CVSS:3.1/PR:N | PHP setting request_order can break register globals handling | chtg |
| 13 November 2014 | High | CWE-89 | CVSS:3.1/PR:N | A SQL injection vulnerability in member.php | |
| | Medium | CWE-79 | CVSS:3.1/PR:L | A XSS vulnerability in report.php | |
| | Medium | CWE-79 | CVSS:3.1/PR:N | A XSS vulnerability in inc/class_parser.php | |
| | Low | CWE-79 | CVSS:3.1/PR:H | A XSS vulnerability in admin/modules/style/templates.php | |
| | Low | CWE-79 | CVSS:3.1/PR:H | A XSS vulnerability in admin/modules/config/languages.php | |
| 4 August 2014 | Medium | | | A XSS vulnerability in video MyCode | |
| 30 June 2014 | Medium | | | Possibility of executing PHP code through settings | GiantCrocodile |
| | Low | | | A XSS vulnerability in polls.php | AntiPaste |
| | Low | | | A XSS vulnerability in portal.php | AntiPaste |
| | Low | | | Password protected forums can be viewed from the portal | Nathan Malcolm |
| | Low | | | Super moderators have more permissions than expected | JordanMussi (MyBB Team) |
| 26 April 2014 | Medium | | | Possibility of executing PHP code through stylesheets | |
| | Medium | | | Possibility of executing PHP code through language files | |
| | Low | | | A XSS vulnerability in search system | |
| | Low | | | Potential weak random string generator | |
| 30 December 2013 | Medium | | | A SQL vulnerability when editing smilies in ACP | ChALkeR |
| | Medium | | | A SQL vulnerability when deleting posts with Akismet in ACP | ChALkeR |
| | Medium | | | A XSS vulnerability in video MyCode | ChALkeR |
| | Low | | | A XSS vulnerability in smilie popup | Spenzert |

The CVSS column shows only the Privileges Required (PR) metric of the CVSS 3.1 vector as published on the page (N = none, L = low, H = high); entries added before CWE and CVSS data were recorded have those cells left empty.
## Resolved Security Issues

Here you will find documented security issues addressed in past MyBB releases. Note that the list may not include details of vulnerabilities in legacy branches. See the Security Research page to learn more or to report security-related problems.